Messages

1

24.1 Legacy Series / Re: DHCP relay - Option 82 - agent.circuit-id

« on: April 26, 2024, 11:55:01 pm »

Ditto to this, DHCP relay is completely broken now after updating this morning. I see requests going to Infoblox and Infoblox is responding. Devices aren't getting IPs.

2

23.1 Legacy Series / Re: Big problems since 23.1 update (update checks, dpinger, haproxy)

« on: June 30, 2023, 02:09:44 am »

Ditto to this. I just switched to new hardware (running opnsense on infoblox appliance) and the install went great. I'm getting intermittent DNS lookup errors when trying to check for updates or do package audits and even trying to manually revert to 23.1.8 from .10, I had to run the command ~10x for the DNS to work consistently across the downgrade process.

I have multiple IPSec tunnels, historically, I use DDNS hostnames  for the endpoints and everything has worked fine, but I'm getting DNS lookup errors in the IPSec logs so I've had to switch to IPs for the endpoints to the time-being.

Additionally, the VTI monitoring tanked and dpinger is reporting 100% loss across the VTI gateway, but traffic is still going across and BGP peers are still forming!

Considering reverting to 22.x..

3

23.1 Legacy Series / Re: FRR - Severity Error

« on: June 30, 2023, 02:04:39 am »

Are you running BFD with the BGP neighbor? And I'm assuming you're giving enough time for the BGP hold timer to expire, unless you've manually set it low.?

4

23.1 Legacy Series / Creating new vlan and interface broken

« on: June 27, 2023, 01:26:22 pm »

I haven't attempted to create a new interface in a few months, but at some point the process seems to be broken. I've been running opnsense for 3 years now and this is the first time I've had this issue. I create a new vlan, add the interface, configure a static IP and add a any/any firewall rule for the interface (just to make sure) and then I attempt to the ping the interface IP (which should be up) and results are intermittent.

Code: [Select]

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=4ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=1ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=2ms TTL=64
Reply from 10.0.3.254: bytes=32 time=1ms TTL=64
Reply from 10.0.3.254: bytes=32 time=1ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

When I ssh into the box check the interfaces, there are some inconsistences between different type of vlans, for example

Vlan 1270 which I've been running for ~3 years has this config and the new vlan 1236 has this minimal config.
Can anyone else duplicate this?

Code: [Select]

igb1_vlan1270: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LDAP (opt8)
        options=4000000<NOMAP>
        ether 90:e2:ba:25:e3:31
        inet 10.0.1.214 netmask 0xfffffff8 broadcast 10.0.1.215
        groups: vlan
        vlan: 1270 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

igb1_vlan1236: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
        description: F5_VIPs (opt31)
        ether 90:e2:ba:25:e3:31
        inet 10.0.3.254 netmask 0xffffff00 broadcast 10.0.3.255
        groups: vlan
        vlan: 0 vlanproto: 0x0000 vlanpcp: 0 parent interface: <none>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


5

Virtual private networks / Integrate keychain for Symmetric Keys

« on: October 07, 2022, 11:53:20 pm »

In lieu of an integrated keychain that supports key rotation on a certain date/time, I wrote a bash script to rotate the keys instead. However, the keys are hashed or encrypted in the config file. Does anyone happen to know the method the obfuscates the keys inside the ipsec.secrets file?

6

General Discussion / NETFLOW export to Splunk

« on: March 03, 2022, 09:48:18 pm »

Has anyone tested sending netflow data to splunk? I've captured data using an intermediate forwarder as well as directly into a splunk indexer. When data is sent to the Intermediate forwarder, the data is gibberish, when it's sent to the indexer it's never received. Thoughts?

7

Virtual private networks / Re: Separate IPSEC VTI per Phase 1

« on: May 08, 2021, 06:36:25 pm »

I see the con0/1 interfaces under the ipsec config but those probably aren't polled since they aren't a VTI. I've checked 'Do not install routes' to see if I could force a change but that doesn't seem to be working. I still only have the enc0 showing up as the ipsec interface if I check with ifconfig.

8

Virtual private networks / Separate IPSEC VTI per Phase 1

« on: May 08, 2021, 05:08:56 pm »

Is it possible to have a separate Virtual Tunnel Interface per Phase 1? E.g. with IPSEC actively working with 1 or more IPSEC connections to different locations, the VTI created is 'enc0'. This makes monitoring with NMS difficult since the only interface being reported by SNMP is 'enc0'